Model checkers use automated state exploration in order to prove various properties such as reachability,
non-reachability, and bisimulation over state transition systems. While model checkers have
proved valuable for locating errors in computer models and specifications, they can also be used
to prove properties that might be consumed by other computational logic systems, such as theorem
provers. In such a situation, a prover must be able to trust that the model checker is correct. Instead
of attempting to prove the correctness of a model checker, we ask that it outputs its “proof
evidence” as a formally defined document—a proof certificate—and that this document is checked
by a trusted proof checker. We describe a framework for defining and checking proof certificates for
a range of model checking problems. The core of this framework is a (focused) proof system that is
augmented with premises that involve “clerk and expert” predicates. This framework is designed so
that soundness can be guaranteed independently of any concerns for the correctness of the clerk and
expert specifications. To illustrate the flexibility of this framework, we define and formally check
proof certificates for reachability and non-reachability in graphs, as well as bisimulation and
non-bisimulation for labeled transition systems. Finally, we describe briefly a reference checker that we
have implemented for this framework.


1 Introduction 

Model checkers are one way in which logic is implemented. While one of the strengths of model checkers 
is to aid in the discovery of counterexamples and errors in specifications [6], they can also be used to
prove theorems. Furthermore, such theorems might be of interest to other computational logic systems 
such as more general theorem provers. One then encounters the problem of whether or not such a theorem 
prover is willing to trust that model checker or at least a particular theorem it proves. Formally verifying 
a model checker might be both extremely hard to do and undesirable especially if that checker is being 
revised and improved. A more plausible option might be to have a model checker output its “proof 
evidence” as a document (a certificate). If that proof certificate can be formally checked by a trusted 
checker, one might then be willing to use the theorem in a theorem prover. 

Of course, model checkers are asked to solve many kinds of problems so their proof evidence might 
take many different forms, ranging from decision procedures to paths in graphs, bisimulations, traces, 
and winning strategies. If we need to have trusted checkers for all these different kinds of proof evidence, 
then maybe we have not really improved the situation of trust. Here, we contribute to the foundational 
proof certificate (FPC) effort [13] by providing a framework for defining the semantics of a range of
proof evidence that naturally arises in model checking. Such a formal semantic model for proof evidence 
allows anyone to build a proof checker of any formally defined evidence. Furthermore, it is possible to 
have an implementation of the entire framework of FPC so that this one system could check a wide range 
of proof evidence. 

While this paper has a number of parallels with FPCs for first-order logic in [5], that work was limited
to first-order logic without fixed points and, as a result, that work was not directly applicable to topics of 
model checking and inductive and co-inductive theorem proving. 
2 Proof theory for fixed points and certificates

Having proof certificates that are foundational here means that we need to find proof theoretic descriptions
of model checking. We shall now describe a few recent developments in proof theory that we bring
together in this paper. Of course, the topic of model checking is mature and varied. In order to lay 
down a convincing and direct proof theory for model checking, we eschew many of its more advanced 
topics—e.g., predicate abstraction and partial order reduction—for later consideration. 

2.1 Fixed points as defined predicates 

One of the earliest applications of sequent calculus to computational logic was to provide an execution
model for logic programming [15]. That analysis, however, supported only the “open world assumption”
of logic programming: negation-as-finite-failure was not touched by that work. Schroeder-Heister [19]
and Girard [10] showed how sequent calculus could be extended with inference rules for fixed points (or
defined predicates), thereby embracing important aspects of the closed world assumption and
negation-as-finite-failure. The key additions to sequent calculus were rules for unfolding fixed point expressions as
well as dealing with equality over the Herbrand universe. A series of papers [8, 12, 16] added induction
and co-induction to the sequent calculi for intuitionistic and classical logics. Those papers have been
used to design the Bedwyr model checker [4, 20] and the Abella interactive theorem prover [3].

Fixed point expressions will be written as $\mu B\,\bar t$ or $\nu B\,\bar t$, where $B$ is an expression representing a
higher-order abstraction, and $\bar t$ is a list of terms. The unfolding of the fixed point expression $\mu B\,\bar t$ is
written as $B(\mu B)\,\bar t$. It is important to understand that we shall treat both $\mu$ (least fixed point operator)
and $\nu$ (greatest fixed point operator) as logical connectives since they will have introduction rules: they
are also de Morgan duals of each other.

2.2 Fixed points in linear logic 

Surprisingly, it is linear logic and not intuitionistic or classical logics per se that is most relevant to our
exposition on model checking. The logic MALL (multiplicative additive linear logic) is an elegant, small
logic that is, in and of itself, not appropriate for formalizing mathematics and computer science since it
is not capable of modeling unbounded behaviors (for example, it is decidable). While Girard extended
MALL with the “exponentials” (! and ?) [9], Baelde [2] extended it by adding the least ($\mu$) and greatest
($\nu$) fixed point operators as logical connectives. The resulting logic, called $\mu$MALL, forms the proof
theoretic foundation of this paper.

To make the use of linear logic easier to swallow for those more familiar with model checking,
we adopt the following shallow changes to its presentation. First, we use a two-sided sequent calculus
instead of the one-sided calculus used for $\mu$MALL. While this change will double the size of our proof
system, it will make inference rules look more familiar. Second, we replace the linear logic connectives
with familiar connectives (although with annotations). In particular, we replace $\otimes$, $\&$, $\oplus$ and their units
$1$, $\top$ and $0$ with $\wedge^+$, $\wedge^-$, $\vee$, $t^+$, $t^-$ and $f^+$, respectively. (Truth functionally, the two versions of these
operators are equivalent: their differences only influence the structure of focused proofs.) We also replace
the negatively biased false $\bot$ with $f^-$, and instead of the multiplicative disjunction $A \wp B$, we use the
implication $A^\perp \supset B$: the de Morgan dual of $A \supset B$ is $A \wedge^+ B^\perp$. Negation is written as $\cdot \supset f^-$.

In addition, we consider $\mu$ as positive and $\nu$ as negative; this arbitrary choice has been shown to give
a convenient natural interpretation to the structure of focused proofs [2]. We therefore have the negative
connectives $f^-$, $\supset$, $t^-$, $\wedge^-$, $\forall$, $\neq$ and $\nu$, and the positive connectives $t^+$, $\wedge^+$, $f^+$, $\vee$, $\exists$, $=$ and $\mu$.
2.3 Focused proof systems

In order to have the kind of control we need to support a definable notion of proof certificate, we make 
use of a focused proof system. Such sequent calculus proof systems are built from alternating phases 
which allow us to define flexible proof building protocols that can be used to drive proof search. During 
the asynchronous phase of proof building, simple (invertible) computations build a proof and during 
the synchronous phase, information needed for the construction of a proof (such as which branch of a 
disjunction to prove) must be found. 

Focusing requires polarizing all formulas as being either negative or positive. A formula is negative
or positive according to its top-level connective, and it is purely negative (resp. purely positive) when
its connectives are positive if, and only if, they occur under an odd (resp. even) number of implications.
Notice that the de Morgan dual of a positive (resp. purely positive) formula is a negative (resp.
purely negative) formula. We call a formula bipolar when it is made of purely negative (resp. positive)
subformulas occurring under an even (resp. odd) number of implications in a purely negative context.

Focusing also relies on the sequents having additional storage zones on each side of the turnstile,
where formulas can be stored and left untouched by logical inference rules. For instance, the usual
one-sided focused presentation of $\mu$MALL [2] has one of these zones, similarly to the focused proof system
for linear logic given by Andreoli [1]. A two-sided subsystem of $\mu$MALLF, called $\mu F$, makes use of
two storage zones, noted $\mathcal{N}$ and $\mathcal{P}$, which are lists of, respectively, negative and positive formulas.
(Appendix B contains an example of a $\mu F$ proof.) Between the arrows and the turnstile are the contexts
$\Gamma$ and $\Delta$: these are lists of formulas in (unfocused) $\Uparrow$-sequents, and sets of up to one formula in (focused)
$\Downarrow$-sequents. The sequents of the $\mu F$ system are therefore:

$\mathcal{N} \Uparrow \Gamma \vdash \Delta \Uparrow \mathcal{P}$   unfocused, similar to the unfocused $\mu$MALLF sequent

$\Downarrow A \vdash$   left-focused, similar to $\vdash \Downarrow A^\perp$

$\vdash A \Downarrow$   right-focused, similar to $\vdash \Downarrow A$

2.4 Foundational proof certificates 

If we think of the implementers of computational logic systems (e.g., model checking systems) as our
clients, our job in this project is to formally check our clients’ proof evidence for formal correctness.
Our approach is to have this evidence translated into a sequent calculus proof. Of course, we would not 
dream of asking our clients to supply a sequent calculus proof in the first place: such proofs are often 
huge, too messy, and too esoteric. Instead, we want to take from our clients objects with which they 
are familiar (e.g., paths, simulations, etc.) and find flexible and high-level means to have our framework 
extract information from those objects in order to trace out a complete formal sequent calculus proof. 

To this intent, Figures 1 and 2 present $\mu F^a$, which is a version of $\mu F$ augmented with a term $\Xi$
(encoding an actual certificate) as well as with clerk and expert predicates (examples of which we provide
soon). This augmentation has two components. First, every sequent (either $\Uparrow$ or $\Downarrow$) is given an extra
argument we write as $\Xi$. Thus, sequents now display as

$\Xi: \mathcal{N} \Uparrow \Gamma \vdash \Delta \Uparrow \mathcal{P}$,   $\Xi: \Downarrow A \vdash$,   and   $\Xi: \vdash A \Downarrow$.

Second, every inference rule is given an additional premise. In all cases, this premise is an atomic
formula with either a clerk or expert predicate as its head symbol: if the conclusion of the inference rule
is a $\Downarrow$-sequent, then the premise atom uses an expert predicate (noted $*_e(\ldots)$ for the rule $*$); otherwise,
the conclusion is an $\Uparrow$-sequent and the atom uses a clerk predicate (noted $*_c(\ldots)$).
In the case of the clerk rules, the premise atom relates the $\Xi$ value of the concluding sequent with the
corresponding value of $\Xi$ for all premises: e.g.,

$$\frac{\Xi_1: \mathcal{N} \Uparrow A_1, \Gamma \vdash \Delta \Uparrow \mathcal{P} \qquad \Xi_2: \mathcal{N} \Uparrow A_2, \Gamma \vdash \Delta \Uparrow \mathcal{P} \qquad \vee_c(\Xi_0, \Xi_1, \Xi_2)}{\Xi_0: \mathcal{N} \Uparrow A_1 \vee A_2, \Gamma \vdash \Delta \Uparrow \mathcal{P}}\ \vee L$$

In this way, the certificate $\Xi_0$, intended to aid in the proof of the concluding sequent, can be transformed
into two certificates that are used to prove the two premise sequents. We refer to the predicates used in
the asynchronous phase as clerks since these predicates do not need, in general, to examine the actual
information in the proof certificate (except for the induction and co-induction rules, there is no consumption
of information during the asynchronous phase). Instead, the clerks are responsible for keeping track
of how a proof is unfolding: for example, $\Xi_1$ might be a copy of $\Xi_0$ but with the fact that checking has
moved to the left premise instead of the right premise.

Experts are responsible for extracting information from a certificate. For example, $\mu F^a$ contains the
inference rule

$$\frac{\Xi_1: \vdash C\,t \Downarrow \qquad \exists_e(\Xi_0, \Xi_1, t)}{\Xi_0: \vdash \exists x.\, C\,x \Downarrow}\ \exists R$$

Notice here that the exists-expert $\exists_e(\cdot, \cdot, \cdot)$ not only computes the continuation certificate $\Xi_1$ but also a
term $t$ to be used to witness the existential variable.

The exact nature of both certificate terms $\Xi$ and of the clerk and expert predicates is not important to
guarantee soundness of this system. That is, no matter how certificates, clerks, and experts are specified,
if there is a proof in $\mu F^a$ then there is a proof in $\mu F$ of the same sequent, which can be obtained by
deleting from the proof in $\mu F^a$ all references to $\Xi$, including the additional premises. Notice also that
experts are not required to act particularly expertly: it is entirely possible for the $\exists_e(\Xi_0, \Xi_1, t)$ premise to
functionally determine one $t$ from $\Xi_0$, or to relate all terms $t$ to $\Xi_0$. In the latter case, the actual value of $t$
used in a successful $\mu F^a$ proof is determined from other aspects of the proof checking process (typically
implemented using unification).

3 A proof system underlying model checking 

FPCs were first proposed in [5, 13] in the context of first-order logic and were used successfully to define
and check proof evidence in the form of resolution refutations, Herbrand instances (expansion trees),
natural deduction ($\lambda$-terms), Frege proofs, etc. We shall now adapt this approach to formally define the
semantics of a range of proof evidence that can arise in simple but real model checking problems. 

We shall later illustrate just how such a formal semantics can be provided for the following four 
kinds of proof evidence. These particular examples have been selected for their universality: numerous 
problems in model checking are related to them. 

1. The fact that two nodes are related by the transitive closure of a graph’s adjacency relation can be 
witnessed by an explicit path through the graph. 

2. The fact that two nodes are not related by transitivity can be witnessed by pointing out that the 
reachable set of one does not contain the other. 

3. Given an LTS (labeled transition system), the fact that two nodes are similar/bisimilar can be
witnessed by a set of pairs called a simulation/bisimulation.

4. If two nodes in an LTS are not bisimilar, then there is a Hennessy-Milner logic (HML) formula that
is satisfied by one but not by the other.




Q. Heath and D. Miller 




[Figure 1 is a table of inference rules that did not survive extraction. Its panels are: Asynchronous connective introductions; Synchronous connective introductions; Structural rules (the store, decide and release rules, with clerks and experts store$_L$, store$_R$, decide$_L$, decide$_R$, release$_L$, release$_R$).]

Figure 1: The $\mu F^a_0$ proof system. (This proof system is best viewed using color.)
$y$ stands for a fresh eigenvariable, $s$ and $t$ for terms, $N$ for a negative formula, $P$ for a positive formula,
and $C$ for the abstraction of a formula over a variable.

The $\dagger$ proviso requires that $\theta$ is the mgu of $s$ and $t$, and the $\ddagger$ proviso requires that $s$ and $t$ are not unifiable.
Fixed-point rules

[Figure 2 is a table of inference rules that did not survive extraction. It contains the induction rule ($\mu L$, with clerk ind$(\Xi_0, \Xi_1, \Xi_2, S)$), the co-induction rule ($\nu R$, with clerk co-ind$(\Xi_0, \Xi_1, \Xi_2, S)$), the asynchronous unfolding rules with clerks $\mu$-unfold$_L(\Xi_0, \Xi_1)$ and $\nu$-unfold$_R(\Xi_0, \Xi_1)$, and the synchronous unfolding rules with experts $\nu$-unfold$_L(\Xi_0, \Xi_1)$ and $\mu$-unfold$_R(\Xi_0, \Xi_1)$.]

Figure 2: The $\mu F^a$ proof system results from adding these rules to $\mu F^a_0$.
$\bar y$ stands for a list of fresh eigenvariables, $\bar t$ for a list of terms, and $B$ for the abstraction of a formula
over a predicate and a variable list.

3.1 Core proof system 

Figures 1 and 2 contain the rules for the augmented focused proof systems $\mu F^a_0$ and $\mu F^a$. One could
obtain the non-augmented systems $\mu F_0$ and $\mu F$ by ignoring the certificates (the annotated $\Xi$ variables) and
the clerk and expert premises; the resulting rules would be no more than (slightly restricted) two-sided
versions of the $\mu$MALLF rules. The various clerk and expert predicates are named and displayed in their
corresponding inference rules. Notice that those inference rules that involve the use of eigenvariables
($\exists L$, $\forall R$, $\mu$ and $\nu$) require the associated clerk predicates to return abstractions over certificates: in this
way, premise certificates can be applied to the eigenvariables.

A key element of our proof theoretic treatment of model checking via $\mu F^a$ is the fact that focused
sequents contain only one formula. This fact entails that $\mu F^a$ can only be complete with respect to
$\mu$MALLF on a fragment where derivations satisfy this constraint. In particular, the $\Gamma$ and $\Delta$ zones
must never contain more than one formula, and never both at the same time. This can be ensured at least
for the $\mu F_0$ subsystem by the following restriction on formulas.

Definition 1 (switchable formula, switchable occurrence). A $\mu F^a$ formula is switchable if

• whenever a subformula $C \wedge^+ D$ occurs negatively (under an odd number of implications), either $C$
or $D$ is purely positive;

• whenever a subformula $C \supset D$ occurs positively (under an even number of implications), either $C$
is purely positive or $D$ is purely negative.

An occurrence of a formula $B$ is switchable if it appears on the right-hand side (resp. left-hand side) and
$B$ (resp. $B^\perp$) is switchable.

Notice that both a purely positive formula and its de Morgan dual are switchable. The following theorem
is proved by a simple induction on the structure of $\mu F^a_0$ proofs.

Theorem 1 (switchability). Let $\Pi$ be a $\mu F^a_0$ derivation of either $\Uparrow A \vdash \Uparrow$ or $\Uparrow \vdash A \Uparrow$, where the
occurrence of $A$ is switchable. Every sequent in $\Pi$ that is the conclusion of a rule that switches phases
(either a decide or a release rule) contains exactly one occurrence of a formula and that occurrence is
switchable.
Theorem 1 states that an invariant of the $\mu F^a_0$ proof system (for switchable theorems) is that the
number of non-purely asynchronous formulas (i.e. non-purely positive from $\mathcal{N}$ and $\Gamma$, and non-purely
negative from $\mathcal{P}$ and $\Delta$) is one or less. Keeping sequents mostly asynchronous allows the asynchronous
phase to deal with most of the context: that way the synchronous phase is left with a single, meaningful
formula. (The structure of focused proofs based on switchable formulas is similar to the structure of
simple games in the game-theoretic analysis of focused proofs in [?, Section 4].) While the restriction to
switchable formulas provides a match to the model checking problems we develop here, that restriction
is not needed for using clerks and experts (the examples in [?] involve non-switchable formulas).

3.2 Encoding of recursively defined predicates 

In order to exploit the properties of $\mu F^a_0$ in model checking problems, we need them to extend to $\mu F^a$
by adding fixed-point rules. As those rules make use of the higher-order variables $S$ (an invariant which
is either a pre-fixed point or a post-fixed point) and $B$ (the body of a predicate definition), they cannot
be used freely without violating Theorem 1. We propose the following constraints on $\mu F^a$ proofs of
switchable formulas so as to have exactly one formula per sequent when phases are switched:

• “arithmetic” restriction: $S$ and $B$ are purely positive (resp. negative);

• “model checking” restriction: $S$ is purely negative (resp. positive), and the context does not trigger
synchronous rules ($\mathcal{N}$ is empty, $\Gamma$ is purely positive and $\Delta$ is purely negative).

The former restriction would allow extending the scope of the framework by handling simple theorems
involving inductive definitions (e.g. about natural numbers), but is not treated here. The latter restriction
better suits our needs (since an asynchronous context fits the spirit of model checking) and is respected
by all our examples.

Example 2. Horn clauses (in the sense of Prolog) can be encoded as purely positive fixed point expressions.
For example, here is the Horn clause logic program (using the $\lambda$Prolog syntax, the sigma Y\
construction encodes the quantifier $\exists Y$) for specifying the graph in Figure 3 and its transitive closure:

    step a b. step b c. step c b.
    path X Y :- step X Y. path X Z :- sigma Y\ step X Y, path Y Z.

We can translate the step relation into the binary predicate $\cdot \to \cdot$ defined by

$$\mu(\lambda A\lambda x\lambda y.\ ((x = a) \wedge^+ (y = b)) \vee ((x = b) \wedge^+ (y = c)) \vee ((x = c) \wedge^+ (y = b)))$$

which only uses positive connectives. Likewise, path can be encoded as the fixed point expression

$$\mu(\lambda A\lambda x\lambda z.\ x \to z \vee (\exists y.\ x \to y \wedge^+ A\,y\,z))$$

In general, it is sensible to view any purely positive least fixed point expression as a predicate specified
by Horn clauses. (For example, SOS rules for CCS are easily seen as Horn clauses.)

Example 3. Let the ternary predicate $\cdot \xrightarrow{\cdot} \cdot$ describe a labeled transition system. It can be defined as a
purely positive fixed point expression of the form

$$\mu(\lambda A\lambda p\lambda a\lambda q.\ \textstyle\bigvee_i ((p = u_i) \wedge^+ (a = v_i) \wedge^+ (q = w_i)))$$

and the simulation and bisimulation relations can be defined as the following greatest fixed point expressions
(note: the second contains both $\wedge^-$ and $\wedge^+$). Both of these formulas are switchable.

$$\nu(\lambda S\lambda p\lambda q.\ \forall a\forall p'.\ p \xrightarrow{a} p' \supset \exists q'.\ q \xrightarrow{a} q' \wedge^+ S\,p'\,q') \qquad (\textit{sim})$$

$$\nu(\lambda B\lambda p\lambda q.\ (\forall a\forall p'.\ p \xrightarrow{a} p' \supset \exists q'.\ q \xrightarrow{a} q' \wedge^+ B\,p'\,q') \wedge^- (\forall a\forall q'.\ q \xrightarrow{a} q' \supset \exists p'.\ p \xrightarrow{a} p' \wedge^+ B\,q'\,p')) \qquad (\textit{bisim})$$
Figure 3: (Un)reachability problem

3.3 Common proof certificates 

The presentation of an FPC now involves the following three steps. 

1. Describe how unpolarized formulas should be polarized. 

2. Describe the structure of certificates $\Xi$. This can be done, for example, by describing the signature
of constructors for certificates.

3. Define the clerk and expert predicates. 

To ease steps 2 and 3, we define the following certificate constructors (shown together with their types),
which describe generic focused proof behaviors. The associated clauses can be included into any subsequent
clerk and expert definitions.

The stop: cert certificate authorizes no search; it is to be used as a continuation certificate for other
certificate constructors.

The sync: cert -> cert certificate constructor authorizes $\mu F^a$ to conduct an unbounded synchronous
search for a proof before handing the search over to a continuation certificate. It has no clerks and its
experts run an exhaustive non-deterministic search for $\vee$ and $\exists$. The experts for the right rules are:

    =_e(sync(Ξ)).   ∨_e(sync(Ξ), sync(Ξ), 1).
    ∧⁺_e(sync(Ξ), sync(Ξ), sync(Ξ)).   ∨_e(sync(Ξ), sync(Ξ), 2).
    ∀T. ∃_e(sync(Ξ), sync(Ξ), T).   μ-unfold_R(sync(Ξ), sync(Ξ)).
    release_R(sync(Ξ), Ξ).

The async: cert -> cert certificate constructor is the dual of sync; it handles an asynchronous phase
and has no experts apart from the decide rules. The clerks for the left rules are:

    =_c(async(Ξ), async(Ξ)).   ∨_c(async(Ξ), async(Ξ), async(Ξ)).
    ∧⁺_c(async(Ξ), async(Ξ)).
    ∃_c(async(Ξ), λx. async(Ξ)).   μ-unfold_L(async(Ξ), async(Ξ)).
    store_L(async(Ξ), async(Ξ)).   decide_L(async(Ξ), Ξ).

bipole_n: cert is actually shorthand for a chain of $n$ async(sync(·)) before a final stop. It is used
for bounded-depth search when simple search strategies would otherwise not terminate. We also write
bipole: cert for bipole_1 = async(sync(stop)).

The decproc: cert constructor is shorthand for bipole_∞, the unbounded version of bipole_n. It is a
general purpose decision procedure used for automated and unguided proving. Its rules are similar to
those from sync and async, and can be obtained via the equivalence decproc = async(sync(decproc)).
The two constructors inv and co-inv: (i -> i -> bool) -> cert -> cert each take an explicit predicate
$S$ as parameter. It is expected to be proved to be an invariant with the help of bipole.

    ∀S. ind(inv(S, Ξ), λx̄. bipole, Ξ, S)      ∀S. co-ind(co-inv(S, Ξ), Ξ, λx̄. bipole, S)

We now turn our attention to describing how to formally define the four kinds of proof evidence
mentioned earlier in Section 3. Some of the constructors defined above will be used in those definitions.

4 Examples: certificates for graphs 

We use the notations from Example 2 to define $\cdot \to \cdot$ and path.

4.1 Lists as reachability certificates 

The natural choice for a certificate of the proof of $\vdash \mathrm{path}(x, y)$ is an explicit path, i.e. a list of nodes
starting right after $x$ and ending right before $y$. In fact, this list $L$ can be used directly as the proof
certificate. Aside from the initial store_R, no clerks are invoked in the process of checking this particular
FPC. The following clauses defining the experts only use the provided information to instantiate the
logical variables of the proof.

    ∀X∀L. ∃_e(X :: L, L, X).   ∀L. ∧⁺_e(L, sync(stop), L).   ∀L. decide_R(L, L).
    ∀X∀L. ∨_e(X :: L, X :: L, 2).   ∨_e(nil, sync(stop), 1).   ∀L. μ-unfold_R(L, L).

In this setting, the sync(stop) certificate will terminate quickly since it is only searching through the term
that defines $\cdot \to \cdot$.

Example 4. In Figure 3, (c) is reachable from (a), as witnessed by certificates like [b], [b; c; b], etc.
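As an added example (this is not the paper's reference checker and not λProlog code), the following Python models the right-focused synchronous phase of $\mu F^a$ on purely positive formulas and lets a certificate drive it through expert predicates: the experts of the sync and stop constructors of Section 3.3 and the path-list experts of Section 4.1 above, over the graph of Example 2. The tuple encoding of formulas, the expert functions `eq_e`, `or_e`, `and_e`, `exists_e` and `unfold_e`, and the finite node set over which a sync certificate enumerates existential witnesses are assumptions of this example; the paper's checker finds those witnesses by unification, and clerks, negative connectives and the storage zones are left out here.

```python
# Added example, not code from the paper: a certificate-driven checker for the
# right-focused synchronous phase on purely positive formulas.

# Formula encoding (assumed for this example):
#   ('eq', s, t)      s = t on ground terms
#   ('and', A, B)     A /\+ B
#   ('or', A, B)      A \/ B
#   ('exists', f)     exists x. f(x), with f a Python function term -> formula
#   ('mu', B, args)   mu B args, with B a function (unfolded predicate, args) -> formula
NODES = ['a', 'b', 'c', 'd']   # finite universe used in place of unification


def step(x, y):
    """The graph of Example 2 as the purely positive body of the '->' predicate."""
    edge = lambda u, v: ('and', ('eq', x, u), ('eq', y, v))
    return ('or', ('or', edge('a', 'b'), edge('b', 'c')), edge('c', 'b'))


def path_body(path, args):
    """Body of path:  x -> z  \/  (exists y. x -> y /\+ path y z)."""
    x, z = args
    return ('or', step(x, z), ('exists', lambda y: ('and', step(x, y), path([y, z]))))


def path(x, z):
    return ('mu', path_body, [x, z])


SYNC_STOP = ('sync', ('stop',))   # sync(stop); a plain Python list is a path certificate


def is_sync(c):
    return isinstance(c, tuple) and c[0] == 'sync'


# Experts, written as relations: each returns the list of admissible alternatives
# (an empty list means the expert rejects this certificate at this rule).
def eq_e(c):                        # =_e(sync(X))
    return [c] if is_sync(c) else []


def or_e(c):                        # \/_e(X0, X1, i)
    if is_sync(c):
        return [(c, 1), (c, 2)]     # exhaustive search over both disjuncts
    if c == []:
        return [(SYNC_STOP, 1)]     # \/_e(nil, sync(stop), 1): the direct step
    if isinstance(c, list):
        return [(c, 2)]             # \/_e(X :: L, X :: L, 2): take another step
    return []


def and_e(c):                       # /\+_e(X0, X1, X2)
    if is_sync(c):
        return [(c, c)]
    if isinstance(c, list):
        return [(SYNC_STOP, c)]     # the step is checked by sync(stop), the rest by L
    return []


def exists_e(c):                    # exists_e(X0, X1, t)
    if is_sync(c):
        return [(c, t) for t in NODES]   # every term (unification in the paper)
    if isinstance(c, list) and c:
        return [(c[1:], c[0])]           # exists_e(X :: L, L, X): witness X
    return []


def unfold_e(c):                    # mu-unfold_R(X0, X1)
    return [c] if is_sync(c) or isinstance(c, list) else []


def prove(cert, formula):
    """Does certificate `cert` lead to a proof of  |- formula  (right focus)?"""
    kind = formula[0]
    if kind == 'eq':
        return formula[1] == formula[2] and bool(eq_e(cert))
    if kind == 'or':
        return any(prove(c, formula[i]) for c, i in or_e(cert))
    if kind == 'and':
        return any(prove(c1, formula[1]) and prove(c2, formula[2])
                   for c1, c2 in and_e(cert))
    if kind == 'exists':
        return any(prove(c, formula[1](t)) for c, t in exists_e(cert))
    if kind == 'mu':
        body, args = formula[1], formula[2]
        unfolded = body(lambda a: ('mu', body, a), args)   # B (mu B) args
        return any(prove(c, unfolded) for c in unfold_e(cert))
    raise ValueError(f'unknown formula {formula!r}')


if __name__ == '__main__':
    print(prove(['b'], path('a', 'c')))            # Example 4: True
    print(prove(['b', 'c', 'b'], path('a', 'c')))  # the loop b -> c -> b: True
    print(prove(['c'], path('a', 'c')))            # not a path from a: False
```

A path list never faces an equality itself: every `step` subgoal is handed to `sync(stop)`, which is what keeps the list certificate small. The unbounded `sync` search does find `path(a, c)` here, but on a goal that is unprovable it would unfold the `b -> c -> b` loop forever, which is the reason the paper bounds such search with `bipole_n` and uses invariants for non-reachability.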

4.2 Invariants as non-reachability certificates 

The non-reachability problem comes in two forms: if there are no loops in the graph, then a simple check
of the set of nodes reachable from the first node provides a simple decision procedure; if there are loops,
then induction is needed.

In the first case, the decision procedure can directly be translated as an FPC for proving $\vdash \neg\mathrm{path}(x, y)$.

Example 5. In Figure 3, (a) is not reachable from (d), as witnessed by async(stop).

On the other hand, if the underlying graph has loops, then the rules of Figure 1 alone do not allow
proof search to terminate. As the body $B$ of the path expression (i.e., the displayed formula without
$\mu$) is purely positive, a bipole can prove that a chosen purely negative predicate $S$ containing no fixed
point expressions is an induction invariant (bipole: $\Uparrow B\,S\,x\,y \vdash S\,x\,y \Uparrow$), which means that we can use the
certificate constructor inv($S$, ·). Then we use another bipole as continuation certificate for this constructor
to check that the invariant is adequate for the refutation of path($t$, $u$) (bipole: $\Uparrow S\,t\,u \vdash \cdot \Uparrow$).

Here, the invariant can be chosen so as to represent the fact of not belonging to the set $\mathcal{R} \times \{u\}$,
where $\mathcal{R}$ is the reachable set of $\{t\}$.

Example 6. In Figure 3, (d) is not reachable from (b), as witnessed by inv($S$, bipole), where the invariant
$S$ (built from the set $\{b, c\} \times \{d\}$) is

$$\lambda x\lambda y.\ ((x = b \wedge^+ y = d) \vee (x = c \wedge^+ y = d)) \supset f^-$$
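As an added example (not code from the paper), the following Python performs, for the graph of Example 2, the two checks that inv($S$, bipole) delegates to bipoles in Section 4.2: that the forbidden set $\mathcal{R} \times \{u\}$ defines a pre-fixed point of the path body, and that the pair $(t, u)$ falls inside it. It also computes the least fixed point that the $\mu$ expression of Example 2 denotes, by iterating the body from the empty relation, so that the invariant can be compared against the actual reachability relation. The function names, the representation of $S$ by the set of pairs it forbids, and the node d (taken from Examples 5 and 6) are assumptions of this example; it also counts $t$ itself as reachable from $t$ so that $(t, u)$ lies in the forbidden set.

```python
# Added example, not code from the paper: non-reachability certificates
# (Section 4.2) over the graph of Example 2, plus the least fixed point of path.
from itertools import product

NODES = {'a', 'b', 'c', 'd'}                      # d: no edges (assumed from Examples 5 and 6)
STEP = {('a', 'b'), ('b', 'c'), ('c', 'b')}       # step a b. step b c. step c b.


def path_body(P, x, z):
    """B P x z: the body of the path fixed point applied to a relation P."""
    return (x, z) in STEP or any((x, y) in STEP and (y, z) in P for y in NODES)


def path_lfp():
    """mu B: iterate the body from the empty relation up to its least fixed point."""
    P = set()
    while True:
        nxt = {(x, z) for x, z in product(NODES, NODES) if path_body(P, x, z)}
        if nxt == P:
            return P
        P = nxt


def is_induction_invariant(forbidden):
    """First bipole of inv(S, bipole): B S x y |- S x y for every x, y, where
    S x y is '(x, y) in forbidden -> f-'. Read as a set, S is the complement of
    'forbidden', so the check is that the body never derives a forbidden pair."""
    S = {xy for xy in product(NODES, NODES) if xy not in forbidden}
    return all((not path_body(S, x, y)) or (x, y) in S
               for x, y in product(NODES, NODES))


def check_non_reachability(forbidden, t, u):
    """inv(S, bipole) for |- not path(t, u): S must be a pre-fixed point, and the
    second bipole (S t u |- .) succeeds exactly when (t, u) is forbidden."""
    return is_induction_invariant(forbidden) and (t, u) in forbidden


def invariant_from_reachable_set(t, u):
    """The invariant of Example 6: R x {u}, with R the nodes reachable from t
    (t itself included, an assumption of this example)."""
    R = {y for x, y in path_lfp() if x == t} | {t}
    return {(x, u) for x in R}


if __name__ == '__main__':
    print(sorted(path_lfp()))
    S = invariant_from_reachable_set('b', 'd')             # {(b, d), (c, d)}
    print(S, check_non_reachability(S, 'b', 'd'))          # True
    print(check_non_reachability({('a', 'c')}, 'a', 'c'))  # False: (a, c) is derivable
```

The closure check is where the loop b -> c -> b stops mattering: the bipole only has to verify one unfolding of the body against $S$, never a fixed number of steps, which is why the same invariant works however many times the loop is traversed.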
5 Examples: certificates for labeled transition systems

Bisimilarity and similarity are important relationships in the domain of process calculus and model
checking. To illustrate how these can be captured as FPCs, we first restrict our attention to the existence
of a simulation between finite labeled transition systems; bisimilarity is then addressed by expanding on
this presentation. We define $\cdot \xrightarrow{\cdot} \cdot$ (for the LTS), sim (for simulated-by) and bisim (for bisimulated-by)
as seen in Example 3.

5.1 Invariants as simulation certificates

We shall consider two cases: one where the underlying transition system is noetherian and one where it
is not. An LTS is said to be noetherian if there is no infinite sequence of transitions $p_1 \xrightarrow{a_1} p_2 \xrightarrow{a_2} \cdots$
(in the setting of finite LTSs, this is equivalent to the absence of loops).

In the noetherian case, there is a decision procedure to determine whether or not one process is simulated
by another: one simply attempts to incrementally check simulation at every point. This systematic
search can be described using the clerks and experts of the decproc certificate, which allows a proof to
be built from any number of bipoles (one for each unfolding of the simulation predicate, whose formula
is itself bipolar).

Example 7. In Figure 4, the process (1) is simulated by the process (6), as witnessed by the certificate
decproc.

In the more general (possibly non-noetherian) setting, we need to recall the formal definition of the
simulation relation as a set. A binary relation $S$ is a simulation if whenever $(p, q) \in S$ and whenever
$p \xrightarrow{a} p'$ holds, then there exists a $q'$ such that $q \xrightarrow{a} q'$ holds and $(p', q') \in S$. We say that process $p$ is
simulated by process $q$ if there is a simulation $S$ such that $(p, q) \in S$.

Let $\mathcal{S}$ be a finite set of pairs and let $S$ be the purely positive expression $\lambda x\lambda y.\ \bigvee_{(p,q) \in \mathcal{S}} (x = p \wedge^+ y = q)$.
As the body $B$ of the sim expression is a bipolar formula, a bipole can prove the closure condition
for (finite) simulations (bipole: $\Uparrow S\,x\,y \vdash B\,S\,x\,y \Uparrow$), so we can use the certificate constructor co-inv($S$, ·).
Once again, we use another bipole as continuation certificate to complete the proof that $p$ is simulated
by $q$ (bipole: $\Uparrow \cdot \vdash S\,p\,q \Uparrow$).

Example 8. According to Figure 5, the set $\{(21, 23), (22, 24)\}$ is a simulation and, therefore, the process
(21) is simulated by the process (23). This corresponds to the following certificate

$$\mathrm{co\text{-}inv}(\lambda x\lambda y.\ (x = 21 \wedge^+ y = 23) \vee (x = 22 \wedge^+ y = 24),\ \mathrm{bipole})$$
Figure 5: Non-noetherian labeled transition systems


Providing an entire invariant as part of a proof certificate or restricting to the case when an invariant 
is finite certainly limits what kinds of simulation relationships can be proved. In general, invariants will 
not be finite and, even when they are, they are large. It is for reasons such as this that there has been a
great deal of work on bisimulation-up-to [17, 18]: generally, it is possible to discover and check a closure
property of a much smaller relationship and then via various meta-theoretic properties, ensure that such 
closure properties entail the existence of a proper (bi)simulation. 

5.2 Assertions as non-simulation certificates 

Hennessy and Milner [11] provided a characterization of bisimulation in terms of an assertion language 
over modal operators $[a]$ and $\langle a\rangle$. The characterization states that two processes are bisimilar if and only 
if they satisfy the same assertion formulas. Thus, if $p$ and $q$ are not bisimilar, there is some assertion 
formula $A$ which is true for $p$ and not for $q$. Formally, we write $p \models A$ and $q \not\models A$. 

It is possible to use such assertion formulas directly as proof certificates in the simpler and related 
problem of the absence of simulation, i.e. for theorems of the form $\vdash \neg\mathit{sim}(p,q)$. In that case, the 
assertion language needs only the diamond modality $\langle\cdot\rangle$ as well as the conjunction. More formally, let 
$Act$ be a set of actions. The restricted set of assertions over $Act$ is given by the recurrence $A := \bigwedge_{i\in I} \langle a_i\rangle A_i$, 
where $I$ is a finite set and $a_i \in Act$; that is, we have a strict alternation of (indexed) conjunctions and the 
diamond modality. The statement $p \models \bigwedge_{i\in I} \langle a_i\rangle A_i$ means that, for every $i \in I$, there exists a $q_i$ such that 
$p \xrightarrow{a_i} q_i$ and $q_i \models A_i$. We shall choose to write $\mathit{true}$ for empty conjunctions and we can drop $\bigwedge_{i\in I}$ when 
$I$ is a singleton. Thus, $\langle a\rangle\mathit{true}$ stands for $\bigwedge_{i\in\{\cdot\}} \langle a\rangle \bigwedge_{j\in\{\}} \langle a_j\rangle A_j$. 

Some of the clerks and experts needed for this interpretation of an assertion as a certificate are listed 
below; the rest of the definition can be taken from the async constructor. 

$\forall(a_i)\forall(A_i)\forall j \in I.\ \mathrm{decide}_L(\bigwedge_{i\in I}\langle a_i\rangle A_i,\ \langle a_j\rangle A_j).$ \qquad $\forall a\forall A.\ \vee_e(\langle a\rangle A, A, a).$ 

$\forall A.\ \exists_e(A, \mathrm{sync}(\mathrm{stop}), A).$ \qquad $\forall T\forall A.\ \vee_e(A, A, T).$ 

$\forall a\forall A.\ \nu\text{-}\mathrm{unfold}_L(\langle a\rangle A, \langle a\rangle A).$ \qquad $\forall A.\ \mathrm{release}_L(A, A).$ 

Example 9. In Figure [?] the process (6) is not simulated by the process (1): if $S$ is the assertion formula 
$\langle a\rangle(\langle b\rangle\mathit{true} \wedge \langle c\rangle\mathit{true})$, then $6 \models S$ but $1 \not\models S$. 

5.3 Assertions as non-bisimilarity certificates 

It is possible to extend the FPC described in Section 5.2 to account for the absence of bisimulation in 
addition to the absence of simulation. As bisimilarity is finer than similarity, this will require a richer 
class of assertion formulas. The fact that it is a symmetric relation suggests that assertions should contain 
negations. 

We could use full Hennessy-Milner logic (i.e. any arbitrary mix of $\langle\cdot\rangle$, $[\cdot]$, $\vee$ and $\wedge$ or, equivalently, 
$\langle\cdot\rangle$, $\wedge$ and $\neg$), but instead we choose the smaller but equivalent set of assertions defined by the following 
recurrence. 


$A := \bigwedge_{i\in I} B_i \qquad\qquad B := \langle a_i\rangle A_i \;\mid\; \neg(\langle a_i\rangle A_i)$ 


It can be shown that this set characterizes the same relation as full Hennessy-Milner logic. The statement 
$p \models \bigwedge_{i\in I} B_i$ means that, for every $i \in I$, $p \models B_i$; the statement $p \models \langle a\rangle A$ means that there exists a $q$ such 
that $p \xrightarrow{a} q$ and $q \models A$; and the statement $p \models \neg(\langle a\rangle A)$ means that $p \not\models \langle a\rangle A$. 

Very little more is needed to extend the FPC to handle this certificate. We need to make sure that, 
in addition to certificates with a top-level $\langle\cdot\rangle$, $\mathrm{decide}_L$ and $\nu\text{-}\mathrm{unfold}_L$ allow (and propagate) certificates 
with a top-level $\neg(\cdot)$. We also need an expert to consume $\neg$, and an expert to handle the additional $\wedge^-$ 
connective (see the definition of bisimilarity from Example 3). If we give these two roles to the same 
new expert, namely $\wedge^-_e$, the link between reflexivity and negations in the assertions appears clearly. 

The resulting set of clerks and experts for theorems of the form $\vdash \neg\mathit{bisim}(p,q)$ is the following. 


$\forall A.\ \mathrm{store}_L(A, A).$ \qquad $\forall B.\ \nu\text{-}\mathrm{unfold}_L(B, B).$ 

$\forall a\forall A.\ \vee_e(\langle a\rangle A, A, a).$ \qquad $\forall T\forall A.\ \vee_e(A, A, T).$ 

$\forall A.\ \mathrm{release}_L(A, A).$ \qquad $\forall A.\ \exists_c(A, \lambda x.\ A).$ 

$\forall A.\ \mu\text{-}\mathrm{unfold}_L(A, A).$ \qquad $\forall A.\ =_c(A, A).$ 

$\forall(B_i)\forall j \in I.\ \mathrm{decide}_L(\bigwedge_{i\in I} B_i,\ B_j).$ 

$\forall a\forall A.\ \wedge^-_e(\langle a\rangle A, \langle a\rangle A, 1).$ \qquad $\forall a\forall A.\ \wedge^-_e(\neg\langle a\rangle A, \langle a\rangle A, 2).$ 

$\forall A.\ \exists_e(A, \mathrm{sync}(\mathrm{stop}), A).$ \qquad $\forall A.\ \wedge^+_c(A, A).$ \qquad $\forall A.\ \vee_c(A, A, A).$ 


This FPC extension is conservative, in that it can still check a certificate for non-simulation. 

Example 10. In Figure [?] the processes (6) and (10) are similar but not bisimilar: if $S$ is the generalized 
assertion formula $\langle a\rangle\neg\langle b\rangle\mathit{true}$, then $10 \models S$ but $6 \not\models S$. 
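As an added example (not code from the paper or its Bedwyr checker), the following Python decides $p \models A$ for the assertion fragments of Sections 5.2 and 5.3 and uses that to check an assertion as a non-simulation or non-bisimilarity certificate; it also shows the conservativity noted above, since every negation-free certificate accepted for non-simulation is accepted for non-bisimilarity. The tuple encoding of assertions and the LTS (built to match the shape of Examples 9 and 10, whose figure is not on this page) are assumptions of this example.

```python
from typing import Dict, Set, Tuple

State = int
LTS = Dict[Tuple[State, str], Set[State]]  # (source, action) -> successors

# Constructed assertion encoding, following the recurrence of Section 5.3:
#   ("and", [B1, ..., Bn])    indexed conjunction; ("and", []) is "true"
#   ("dia", a, A)             <a>A
#   ("not", ("dia", a, A))    ¬(<a>A), only in the non-bisimilarity fragment
TRUE = ("and", [])

def holds(lts: LTS, p: State, A: tuple) -> bool:
    """Decide p |= A over the LTS (the semantics stated in the text)."""
    kind = A[0]
    if kind == "and":
        return all(holds(lts, p, B) for B in A[1])
    if kind == "dia":
        _, a, A1 = A
        return any(holds(lts, q, A1) for q in lts.get((p, a), set()))
    if kind == "not":
        return not holds(lts, p, A[1])
    raise ValueError(f"unknown assertion form {kind!r}")

def negation_free(A: tuple) -> bool:
    """Section 5.2 fragment: strict alternation of conjunctions and diamonds."""
    if A[0] == "and":
        return all(negation_free(B) for B in A[1])
    return A[0] == "dia" and negation_free(A[2])

def check_non_sim(lts: LTS, p: State, q: State, A: tuple) -> bool:
    """Certificate for |- ¬sim(p,q): a negation-free A with p |= A and q |/= A."""
    return negation_free(A) and holds(lts, p, A) and not holds(lts, q, A)

def check_non_bisim(lts: LTS, p: State, q: State, A: tuple) -> bool:
    """Certificate for |- ¬bisim(p,q): an A (negations allowed) on which p and q
    disagree; bisimilarity is symmetric, so either direction separates them."""
    return holds(lts, p, A) != holds(lts, q, A)

# Constructed LTS in the shape of Examples 9 and 10.
LTS_EX: LTS = {
    (6, "a"): {7}, (7, "b"): {8}, (7, "c"): {9},                 # process (6)
    (1, "a"): {2, 3}, (2, "b"): {4}, (3, "c"): {5},              # process (1)
    (10, "a"): {11, 14}, (11, "b"): {12}, (11, "c"): {13}, (14, "c"): {15},  # process (10)
}
EX9 = ("dia", "a", ("and", [("dia", "b", TRUE), ("dia", "c", TRUE)]))  # <a>(<b>true ∧ <c>true)
EX10 = ("dia", "a", ("not", ("dia", "b", TRUE)))                        # <a>¬<b>true
```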


6 A reference proof checker 

The framework for foundational proof certificates described in [13, 5] was based on proof theory without 
fixed point definitions. In that setting, a standard logic programming language (in that case, λProlog 
[14]) was an ideal prototyping language for implementing and testing FPCs. The FPCs described in this 
paper are not so easily implemented in standard logic programming languages since the unification of 
eigenvariables must be done alongside the usual unification of “logic variables” that makes proof reconstruction 
possible. The implementation of λProlog, for example, considers eigenvariables as constants 
during unification. 

We have built a prototype proof checker for testing the FPCs described in this paper using the Bedwyr 
extension to logic programming [21, 1]. That system, originally designed to tackle various kinds of 
model checking problems, provides the necessary unification for logic and eigenvariables along with 
backtracking search and support for λ-terms, λ-conversion and higher-order pattern unification. 

One could have imagined implementing the non-augmented proof system $\mu F$ directly and, in a sense, 
this is already done by Bedwyr itself. For example, if $(\mu B\,t)$ is a purely positive fixed point encoding a 
Prolog predicate, when the system is given the sequent $\Uparrow \vdash (\mu B\,t) \Uparrow$, it would emulate the Prolog search. 
Similarly, if it is given the sequent $\Uparrow (\mu B\,t) \vdash \Uparrow$, it would emulate a finite failing proof search. But, as 
anyone familiar with Prolog-style depth-first search knows, such proof search is limited in its effectiveness. 
For example, if one is attempting to prove that there is or is not a path between two points, a cycle 
in the underlying graph can make the search non-terminating. Bedwyr handles this with a loop-detection 
mechanism that can be embedded in the rules from Figure 2, making it a partial implementation of $\mu F$. 

However, our goal with the $\mu F$ proof system is not to use it by itself, but together with clerks and 
experts, as the engine (as a “kernel”) for checking already existing proof evidence. Since the logic of 
the existing Bedwyr system has no native support for proof objects, we implemented $\mu F^a$ as an “object 
logic”, without using some native features such as loop-detection. The Bedwyr specification files that we 
use (available directly at http://slimmer.gforge.inria.fr/bedwyr/pcmc/, or from the authors’ 
homepages) are rather direct translations of the inference rules in Figures 1 and 2 as well as of the various 
FPCs listed in the previous few sections. It has thus been easy for us to experiment with and test FPCs. 

While we have found the Bedwyr system to be useful for prototyping a proof checker, our proposal 
for FPC is not tied to any one particular implementation. Instead, the framework is defined using 
inference rules (such as found in Figures 1 and 2). Any system that can implement the logical principles 
required by such inference rules can be used as a proof checking FPC kernel. 

7 Conclusion 

We have taken the basic structure of foundational proof certificates that had been developed elsewhere for 
first-order logic and described how it could be imposed on a logic based on fixed points. The resulting 
logic is much richer (think of the difference between first-order logic and first-order arithmetic) and 
additional logic principles need to be accounted for in the description of proof certificates. 

In the areas of model checking that we have discussed, proof evidence is often taken to be, say, a path 
through a graph, a set of pairs of nodes (satisfying certain closure conditions), or a Hennessy-Milner logic 
assertion formula. We have illustrated how each of these familiar objects can be easily transformed into 
hints to guide a proof checker through the construction of a detailed and complete sequent calculus proof. 
The architecture of focused proof systems and the clerk and expert predicates allow this conceptual gap 
(between familiar proof evidence and sequent calculus proofs) to be bridged in a flexible and natural 
fashion. 

We have also provided a novel look at the proof theory foundations of model checking systems by 
basing our entire project on the $\mu$MALL variant of linear logic and on the notion of switchable formulas. 
This latter notion seems to provide an interesting demarcation between the logically simpler notion of 
model checking and the more general notion of (inductive and co-inductive) deduction. 
A On the augmented focusing proof system $\mu F^a$ 

It should be noted that, although the system presents two left rules for the connective $=$, one with the 
clerk $=^s_c$ for success and one with the clerk $=^f_c$ for failure, the implementation is usually expected to 
have one single unification facility that, given an equation, will or will not succeed, and which is tied 
to one single clerk. If the unification fails, the rule succeeds immediately without generating a premise 
certificate $\Xi_1$, and the constraint on the conclusion certificate $\Xi_0$ is actually the same as for success. 
Hence the clerk $=^f_c$ can be defined as an existential closure of $=^s_c$. Likewise, the one-argument form of $\neq_c$ can be defined in terms 
of its two-argument form. 


$=^f_c(\cdot) = (\exists\Xi_1.\ =^s_c(\cdot, \Xi_1)) \qquad\qquad \neq_c(\cdot) = (\exists\Xi_1.\ \neq_c(\cdot, \Xi_1))$ 

It is also possible to remove the truth and falsity connectives, as we expect to have the equivalences 

$t^+ = (a = a) \qquad f^+ = (a = b)$ 

$f^- = (a \neq a) \qquad t^- = (a \neq b)$ 

if $a$ and $b$ are distinct constants, hence the following: 

$t^+_e = \; =_e \qquad t^+_c = \; =^s_c \qquad f^+_c = \; =^f_c$ 

$f^-_c = t^-_c = \; \neq_c$ 

Last, it is customary to leave clerks and experts out of rules with no premises (i.e. $t^+$, $=_e$, $f^-$, 
$f^+$, $=^f_c$, $t^-$ and $\neq_c$). This has the same effect as setting them to be always true. 

The system presented in Figures 1 and 2 does not have these simplifications, but the Bedwyr-based 
implementation does. 

B A simple example of a $\mu F$ proof 

The following proof can be seen as the justification that $\{1,3\} \subseteq \{1,2,3\}$. In particular, encode these 
two sets as the predicates (i.e., abstractions over formulas): 

$\lambda x[x = 1 \vee x = 3]$ and $\lambda x[x = 1 \vee x = 2 \vee x = 3]$. 

The sequent calculus proof of inclusion can then be written as the following focused proof (read from the 
conclusion at the bottom upward; the two branches are closed by the $=_e$ rule): 

                           $=_e$                                          $=_e$ 
                    ⊢ 1 = 1 ⇓                                      ⊢ 3 = 3 ⇓ 
             ⊢ 1 = 1 ∨ 1 = 2 ∨ 1 = 3 ⇓                      ⊢ 3 = 1 ∨ 3 = 2 ∨ 3 = 3 ⇓ 
             ⇑ ⊢ ⇑ 1 = 1 ∨ 1 = 2 ∨ 1 = 3                    ⇑ ⊢ ⇑ 3 = 1 ∨ 3 = 2 ∨ 3 = 3 
             ⇑ ⊢ 1 = 1 ∨ 1 = 2 ∨ 1 = 3 ⇑                    ⇑ ⊢ 3 = 1 ∨ 3 = 2 ∨ 3 = 3 ⇑ 
      ⇑ x = 1 ⊢ x = 1 ∨ x = 2 ∨ x = 3 ⇑              ⇑ x = 3 ⊢ x = 1 ∨ x = 2 ∨ x = 3 ⇑ 
      ────────────────────────────────────────────────────────────────────────────────── 
                       ⇑ x = 1 ∨ x = 3 ⊢ x = 1 ∨ x = 2 ∨ x = 3 ⇑ 
                       ⇑ ⊢ [x = 1 ∨ x = 3] ⊃ [x = 1 ∨ x = 2 ∨ x = 3] ⇑ 
                       ⇑ ⊢ ∀x. [x = 1 ∨ x = 3] ⊃ [x = 1 ∨ x = 2 ∨ x = 3] ⇑ 